valitydev/osquery-1
14
0
Fork 0
mirror of https://github.com/valitydev/osquery-1.git synced 2024-11-08 02:18:53 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
898 Commits 2 Branches 109 Tags 25 MiB
56014b9c31
Commit Graph

79 Commits

Author SHA1 Message Date
Teddy Reed
2b1cd4eee3 Towards predicate constraint checking 2014-11-29 22:36:05 -08:00
Wesley Shields
7abc9f75f2 Implement logged_in_users. 
Fixes #9.
 2014-11-22 23:49:37 -05:00
Teddy Reed
4de3c8a0cf Fix memory leaks in USB Devices for OSX 2014-11-22 18:04:47 -08:00
Nick
acad6d8e8d Added USB device support for Mac (Linux coming next) 2014-11-22 17:42:56 -08:00
Teddy Reed
1961921d95 Pull process_open_files out of processes.cpp and reduce logging 2014-11-20 17:19:04 -08:00
Li-Wen Hsu
4f8006ad02 Add dummy table implementations for FreeBSD 2014-11-19 05:07:59 +08:00
Li-Wen Hsu
6c55b51c53 Merge branch 'master' into freebsd-build 
Conflicts:
	osquery/core/system.cpp
	tools/provision.sh
 2014-11-19 01:50:38 +08:00
Mike Goffin
57faad63fa Merge branch 'master' into mounts_table 2014-11-17 15:03:50 -05:00
Mike Goffin
6cddf4ad39 Mounts table for Darwin. 
Associated with #255, this adds Mounts table support for Darwin.
 2014-11-17 13:43:59 -05:00
Teddy
968f8027e6 Cleaner arp_table->arp_cache on Linux/OSX 2014-11-17 02:37:15 -08:00
Teddy Reed
ee015343f9 Simplify arp, move to arp_table 2014-11-16 19:49:40 -08:00
Pablo S. Torralba
4f524abbea arp vtable different implementation in osx and linux 2014-11-16 19:49:40 -08:00
Pablo S. Torralba
1843d80660 arp vtable with ip, arp and interface where it was seen 2014-11-16 19:49:40 -08:00
Li-Wen Hsu
e49537c8fa Add libraries and settings for FreeBSD 2014-11-16 01:41:50 +08:00
Abe Stanway
322fde0121 Socket_inode and port_inode tables to map PIDs->ports via netlink inet_diag 
Example query:
```
SELECT port.local_port,
       port.remote_port,
       port.local_ip,
       port.remote_ip,
       socket.pid,
       process.name,
       process.cmdline
       process.path
       FROM socket_inode AS socket
       JOIN port_inode AS port
       ON socket.inode = port.inode
       INNER JOIN processes AS process
       ON socket.pid = process.pid;
```
 2014-11-10 15:02:31 -05:00
Zachary Wasserman
0b30b9f692 Add basic Mac startup items vtable 2014-11-04 11:40:54 -08:00
Alexander Polakov
274e037527 Blockdev table for linux 2014-11-03 23:39:14 +03:00
Akshay Dixit
6c418507e6 renamed lspci to pci_devices and specified it linux only 2014-11-02 21:09:04 -07:00
Akshay Dixit
afd9d5e160 changed lspci to be a linux only virtual table, and added udev dependency to provisions.sh 2014-11-02 21:07:35 -07:00
Akshay Dixit
7896e7f78e added lspci virtual table and libudev dependencies 2014-11-02 21:03:43 -07:00
Alexander Polyakov
58716d6cfa Mounts table for linux 2014-11-01 16:12:56 +03:00
Teddy Reed
eb240ac527 RPM table and more robust Linux building 2014-10-31 21:59:10 -07:00
castrapel
2557bac3d4 RPM Package listing is now working 2014-10-31 16:52:58 -07:00
Pablo S. Torralba
a6e04efdd7 Add quarantine vtable for OSX 
The tables reports:
- path: The file in quarantine
- creator: The application that created the file

Example:
osquery> select * from quarantine limit 10;

+----------------------------------------------------------------------------+---------------+
| path                                                                       | creator       |
+----------------------------------------------------------------------------+---------------+
| /Applications/Adium.app                                                    | Google Chrome |
| /Applications/Adium.app/Contents                                           | Google Chrome |
| /Applications/Adium.app/Contents/_CodeSignature                            | Google Chrome |
| /Applications/Adium.app/Contents/_CodeSignature/CodeResources              | Google Chrome |
| /Applications/Adium.app/Contents/Frameworks                                | Google Chrome |
| /Applications/Adium.app/Contents/Frameworks/Adium.framework                | Google Chrome |
| /Applications/Adium.app/Contents/Frameworks/Adium.framework/Adium          | Google Chrome |
| /Applications/Adium.app/Contents/Frameworks/Adium.framework/Headers        | Google Chrome |
| /Applications/Adium.app/Contents/Frameworks/Adium.framework/PrivateHeaders | Google Chrome |
| /Applications/Adium.app/Contents/Frameworks/Adium.framework/Resources      | Google Chrome |
+----------------------------------------------------------------------------+---------------+

Fixes issue #231
 2014-10-31 06:10:51 -07:00
Teddy Reed
39f866387f [vtables] CPUID asm call feature information 2014-10-29 03:09:34 -07:00
Teddy Reed
1f1b38976a Merge pull request #261 from facebook/crontab 
[vtables] Crontab parsing for system/users
 2014-10-29 02:52:11 -07:00
Teddy Reed
6db0c67555 Merge pull request #269 from vmauge/suidbin 
Add suid_bin vtable
 2014-10-29 02:30:29 -07:00
Vincent Mauge
471d5faaa0 Add suid_bin vtable 
The vtabel report :
- path: full path of the file
- unix_user: name of the owner (if not available display the uid)
- unix_group: name of the groupe (if not available display the gid)
- permissions: report suid or guid
	* S for suid bin
	* G for guid bin

Example :
osquery> select * from suid_bin;
+----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+
| path                                                                                               | unix_user | unix_group    | permissions |
+----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+
| "/bin/ps"                                                                                          | root      | wheel         | S           |
| "/bin/rcp"                                                                                         | root      | wheel         | S           |
| "/Users/vmauge/suid_test"                                                                          | vmauge    | 999           | SG          |
| "/usr/bin/at"                                                                                      | root      | wheel         | S           |
| "/usr/bin/atq"                                                                                     | root      | wheel         | S           |
| "/usr/bin/atrm"                                                                                    | root      | wheel         | S           |
| "/usr/bin/batch"                                                                                   | root      | wheel         | S           |
| "/usr/bin/crontab"                                                                                 | root      | wheel         | S           |
| "/usr/bin/ipcs"                                                                                    | root      | wheel         | S           |
| "/usr/bin/lockfile"                                                                                | root      | mail          | G           |
| "/usr/bin/login"                                                                                   | root      | wheel         | S           |
| "/usr/bin/newgrp"                                                                                  | root      | wheel         | S           |
| "/usr/bin/procmail"                                                                                | root      | mail          | G           |
| "/usr/bin/quota"                                                                                   | root      | wheel         | S           |
| "/usr/bin/rlogin"                                                                                  | root      | wheel         | S           |
| "/usr/bin/rsh"                                                                                     | root      | wheel         | S           |
| "/usr/bin/su"                                                                                      | root      | wheel         | S           |
| "/usr/bin/sudo"                                                                                    | root      | wheel         | S           |
| "/usr/bin/top"                                                                                     | root      | wheel         | S           |
| "/usr/bin/wall"                                                                                    | root      | tty           | G           |
| "/usr/bin/write"                                                                                   | root      | tty           | G           |
| "/usr/sbin/postdrop"                                                                               | root      | _postdrop     | G           |
| "/usr/sbin/postqueue"                                                                              | root      | _postdrop     | G           |
| "/usr/sbin/rpc.net"                                                                                | root      | wheel         | S           |
| "/usr/sbin/rpcset"                                                                                 | root      | wheel         | S           |
| "/usr/sbin/traceroute"                                                                             | root      | wheel         | S           |
| "/usr/sbin/traceroute6"                                                                            | root      | wheel         | S           |
+----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+

This commit fixes issue #253.
 2014-10-29 01:33:58 -07:00
Teddy Reed
339b63677e [vtables] Rename homebrew files, some cleanup 2014-10-29 00:34:55 -07:00
Martin Majlis
d645dfc257 Initial implementation for the homebrew table. 2014-10-28 21:03:56 -07:00
Martin Majlis
8b8ec7c644 Added initial implementation for crontab. 2014-10-28 17:52:03 -07:00
Javier Marcos
1066f667ab Adding virtual table bash_history, for linux and darwin 2014-10-22 15:21:05 -07:00
Javier Marcos
06792db7f0 Adding support for last in linux 2014-10-13 18:19:08 -07:00
Javier Marcos
b518c6b9e0 Adding groups vtable and refactoring users 2014-10-10 15:09:14 -07:00
mike@arpaia.co
f45798d31a OMG memory leaks 2014-10-09 18:08:31 -07:00
Javier Marcos
64ce35c949 Virtual table to be build in both linux and mac 2014-10-09 15:27:18 -07:00
Javier Marcos
7944ab50da Adding vtable for users 2014-10-09 12:50:34 -07:00
Teddy Reed
69bfb92905 [events] Fleshing out OSX FSEvent framework 2014-10-02 21:30:14 -07:00
Teddy Reed
ed338e8356 [events] Events lifecycle complete, passwd_changes vtable 2014-09-26 12:58:32 -07:00
mike@arpaia.co
6beb5d1247 Moving table generation to CMake 
CMake now handles building all of the generated code.
 2014-09-23 17:55:54 -07:00
mike@arpaia.co
4218a4c2ab cmake cleanups 2014-09-22 21:23:16 -07:00
mike@arpaia.co
9e2507409c linking tests against libosquery 2014-09-22 19:54:59 -07:00
Mike Arpaia
db0f0105dd Revert "Skip tests when making 'fast'" 2014-09-09 21:37:08 -07:00
Teddy Reed
2e150ef8a9 Skip tests when making 'fast' 2014-09-09 16:25:22 -07:00
Teddy Reed
825b50f932 [vtables] Routes table for Linux 2014-09-09 16:07:36 -07:00
Teddy Reed
bfba3d491d Merge pull request #117 from facebook/linux-processes-vtable 
[vtables] Processes table for Linux (procps3)
 2014-09-09 14:43:26 -07:00
Mike Arpaia
d6699bd0fe Adding header files to CMakeLists.txt so that other build tools can perform better introspection into the codebase. 2014-09-09 10:53:59 -07:00
Teddy Reed
c6a7e86b18 [vtables] Processes table for Linux (procps3) 2014-09-08 22:42:17 -07:00
mike@arpaia.co
c72d069689 vagrant and make deps on linux 2014-09-08 19:24:23 -07:00
Teddy Reed
7e470747b4 Moving sublibs to single libosquery 2014-09-08 01:58:29 -07:00